                          Department of Homeland Security


              Information Technology Management Letter for the
              Federal Emergency Management Agency Component
               of the FY 2013 Department of Homeland Security
                          Financial Statement Audit


OIG-14-76                                                          April 2014


                         OFFICE OF INSPECTOR GENERAL
                             Department of Homeland Security
                              Washington, DC 20528 / www.oig.dhs.gov


                                      April 24, 2014


MEMORANDUM FOR:              Adrian Gardner
                             Chief Information Officer
                             Federal Emergency Management Agency

                             Edward Johnson
                             Chief Financial Officer
                             Federal Emergency Management Agency

FROM:                        Richard Harsche
                             Acting Assistant Inspector General
                             Office of Information Technology Audits

SUBJECT:                     Information Technology Management Letter for the
                             Federal Emergency Management Agency Component of
                             the FY 2013 Department of Homeland Security Financial
                             Statement Audit

Attached for your information is our final report, Information Technology Management
Letter for the Federal Emergency Management Agency Component of the FY 2013
Department of Homeland Security Financial Statement Audit. This report contains
comments and recommendations related to information technology internal control
deficiencies that were not required to be reported in the Independent Auditors’ Report.

We contracted with the independent public accounting firm KPMG LLP (KPMG) to
conduct the audit of the Department of Homeland Security’s fiscal year 2013 consolidated
financial statements. The contract required that KPMG perform its audit according to
generally accepted government auditing standards and guidance from the Office of
Management and Budget and the Government Accountability Office. KPMG is
responsible for the attached management letter dated March 11, 2014, and the
conclusion expressed in it.

Please call me with any questions, or your staff may contact Sharon Huiswoud, Director,
Information Systems Audit Division, at (202) 254-5451.

Attachment



                                KPMG LLP
                                Suite 12000
                                1801 K Street, NW
                                Washington, DC 20006


March 11, 2014

Office of Inspector General,
U.S. Department of Homeland Security, and

Chief Information Officer and Chief Financial Officer,
U.S. Department of Homeland Security Federal Emergency Management Agency

Ladies and Gentlemen:

We have audited the financial statements of the U.S. Department of Homeland Security (DHS or
Department) for the year ended September 30, 2013 (referred to herein as the “fiscal year (FY) 2013
financial statements”), and have issued our report thereon dated December 11, 2013. In planning and
performing our audit of the financial statements of DHS, in accordance with auditing standards generally
accepted in the United States of America and Government Auditing Standards, we considered internal
control over financial reporting (internal control) as a basis for designing our auditing procedures for the
purpose of expressing our opinion on the financial statements.
In conjunction with our audit of the
financial statements, we also performed an audit of internal control over financial reporting in accordance
with attestation standards issued by the American Institute of Certified Public Accountants.

In accordance with Government Auditing Standards, our Independent Auditors’ Report, dated December
11, 2013, included internal control deficiencies identified during our audit that, in aggregate, represented a
material weakness in information technology (IT) controls and financial system functionality at the DHS
Department-wide level. This letter represents the separate limited distribution report mentioned in that
report, of matters related to the Federal Emergency Management Agency (FEMA).

During our audit we noted certain matters involving internal control and other operational matters that are
presented for your consideration. These comments and recommendations, all of which have been discussed
with the appropriate members of management and communicated through Notices of Findings and
Recommendations (NFRs), are intended to improve internal control or result in other operating efficiencies
and are summarized as described below.

With respect to FEMA’s financial systems’ IT controls, we noted certain matters in the areas of security
management, access controls, configuration management, segregation of duties, and contingency planning.
These matters are described in the General IT Control Findings and Recommendations section of this
letter.

The Table of Contents identifies each section of the letter.
We have provided a description of key FEMA
financial systems and IT infrastructure within the scope of the FY 2013 DHS financial statement audit in
Appendix A, and a listing of each IT NFR communicated to management during our audit in Appendix B.

During our audit we noted certain matters involving financial reporting internal controls (comments not
related to IT) and other operational matters, including certain deficiencies in internal control that we
consider to be significant deficiencies and material weaknesses, and communicated them in writing to
management and those charged with governance in our Independent Auditors’ Report and in a separate
letter to the Office of Inspector General and the DHS Chief Financial Officer.

                                KPMG LLP is a Delaware limited liability partnership,
                                the U.S. member firm of KPMG International Cooperative
                                (“KPMG International”), a Swiss entity.

Our audit procedures are designed primarily to enable us to form an opinion on the financial statements
and on the effectiveness of internal control over financial reporting, and therefore may not bring to light all
deficiencies in policies or procedures that may exist. We aim, however, to use our knowledge of DHS’
organization gained during our work to make comments and suggestions that we hope will be useful to
you.

We would be pleased to discuss these comments and recommendations with you at any time.

The purpose of this letter is solely to describe comments and recommendations intended to improve
internal control or result in other operating efficiencies.
Accordingly, this letter is not suitable for any other
purpose.

Very truly yours,


                                    Department of Homeland Security
                               Information Technology Management Letter
                                 Federal Emergency Management Agency
                                          September 30, 2013


                                       TABLE OF CONTENTS

Objective, Scope, and Approach

Summary of Findings

General IT Control Findings and Recommendations

   Findings

       Security Management
       Access Controls
       Configuration Management
       Segregation of Duties
       Contingency Planning

   Recommendations

       Security Management
       Access Controls
       Configuration Management
       Segregation of Duties
       Contingency Planning

IT Application Controls


                                            APPENDICES

Appendix   Subject

   A       Description of Key FEMA Financial Systems and IT Infrastructure within the
           Scope of the FY 2013 DHS Financial Statement Audit

   B       FY 2013 IT Notices of Findings and Recommendations at FEMA


                              OBJECTIVE, SCOPE, AND APPROACH

Objective

We have audited the financial statements of the U.S. Department of Homeland Security (DHS or
Department) for the year ended September 30, 2013 (referred to herein as the “fiscal year (FY) 2013
financial statements”). In connection with our audit of the FY 2013 financial statements, we performed an
evaluation of selected general information technology (IT) controls (GITCs) and IT application controls
at FEMA to assist in planning and performing our audit engagement.

Scope

The scope of our GITC and IT application control test work is described in Appendix A, which provides a
description of the key FEMA financial systems and IT infrastructure within the scope of the FEMA
component of the FY 2013 DHS consolidated financial statement audit.

Approach

General Information Technology Controls

The Federal Information System Controls Audit Manual (FISCAM), issued by the U.S.
Government
Accountability Office, formed the basis of our GITC evaluation procedures.

FISCAM was designed to inform financial statement auditors about IT controls and related audit concerns,
to assist them in planning their audit work, and to integrate the work of auditors with other aspects of the
financial statement audit. FISCAM also provides guidance to auditors when considering the scope and
extent of review that generally should be performed when evaluating GITCs and the IT environment of a
Federal agency. FISCAM defines the following five control categories as essential to the effective
operation of GITCs and the IT environment:

•  Security Management – Controls that provide a framework and continuing cycle of activity for
   managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy
   of computer-related security controls.

   •  In conjunction with our test work of security management GITCs, limited after-hours physical
      security testing at select FEMA facilities was conducted to identify potential control deficiencies
      in non-technical aspects of IT security.

•  Access Control – Controls that limit or detect access to computer resources (data, programs,
   equipment, and facilities) and protect against unauthorized modification, loss, and disclosure.

•  Configuration Management – Controls that help to prevent unauthorized changes to information
   system resources (software programs and hardware configurations) and provide reasonable assurance
   that systems are configured and operating securely and as intended.

   •  We performed technical information security testing for key FEMA network and system devices.
      The technical security testing was performed from within select DHS facilities and focused on
      production devices that directly support DHS’ and FEMA’s financial processing and key general
      support systems.

•  Segregation of Duties – Controls that constitute policies, procedures, and an organizational structure
   to manage who can control key aspects of computer-related operations.

•  Contingency Planning – Controls that involve procedures for continuing critical operations without
   interruption, or with prompt resumption, when unexpected events occur.

IT Application Controls

We performed testing over selected key IT application controls on financial systems and applications to
assess the financial systems’ internal controls over the input, processing, and output of financial data and
transactions. FISCAM defines application controls as the structure, policies, and procedures that apply to
separate, individual application systems, such as accounts payable, inventory, or payroll.


                                      SUMMARY OF FINDINGS

During FY 2013, FEMA took corrective action to address certain prior year IT control deficiencies.
For
example, FEMA made improvements in designing and implementing certain configuration
management and security authorization controls over FEMA information systems, and strengthened
controls around vulnerability management and logical access.
However, during FY 2013, we continued to identify GITC deficiencies related to controls over security
management (including deficiencies in physical security and security awareness), access control,
configuration management, segregation of duties, and contingency planning for FEMA core financial and
feeder systems and associated General Support System environments.

Collectively, the IT control deficiencies limited FEMA’s ability to ensure that critical financial and
operational data were maintained in a manner that preserves their confidentiality, integrity, and
availability. In addition, these deficiencies negatively impacted FEMA’s internal controls over financial
reporting and its operations. We consider these deficiencies, in aggregate, to contribute to the IT material
weakness at the Department level under standards established by the American Institute of Certified
Public Accountants. In addition, based upon the results of our test work, we noted that FEMA contributes
to the Department’s non-compliance with the relevant federal financial management systems requirements
of the Federal Financial Management Improvement Act of 1996.

Of the 28 IT Notices of Findings and Recommendations (NFRs) issued during our FY 2013 testing, 26
were repeat findings, either partially or in whole from the prior year, and 2 were new findings.
The 28 IT
NFRs issued represent deficiencies in all five FISCAM GITC categories.

The majority of findings resulted from financial system controls that were not properly documented, fully
designed and implemented, adequately detailed, or consistently applied so as to comply with the
requirements of DHS Sensitive Systems Policy Directive 4300A, Information Technology Security
Program, and National Institute of Standards and Technology (NIST) guidance. Specifically, the findings
stem from:

    1.  Improper or incomplete security authorization activities and supporting artifacts and
        documentation;
    2.  Insufficient logging of system events and monitoring of audit logs;
    3.  Inadequately designed and ineffective access control policies and procedures relating to the
        management of logical access to financial applications, databases, and support systems;
    4.  Patch, configuration, and vulnerability management control deficiencies within systems;
    5.  Inadequately designed and ineffective configuration management policies and procedures; and
    6.  The lack of alternate processing capabilities.

These deficiencies increase the risk that weaknesses in system controls could be exploited to compromise
the confidentiality, integrity, and availability of FEMA financial data used by management and reported
in FEMA’s and DHS’ financial statements.

While the recommendations made by us should be considered by FEMA, it is the ultimate responsibility
of FEMA management to determine the most appropriate method(s) for addressing the
deficiencies
identified.


               GENERAL IT CONTROL FINDINGS AND RECOMMENDATIONS

Findings

During our audit of the FY 2013 DHS financial statements, we identified the following FEMA GITC and
IT entity-level control deficiencies that, in the aggregate, contribute to the IT material weakness at the
Department level. Those FEMA GITC deficiencies that we determined to be “more significant” in posing
a risk to the integrity of FEMA financial data are identified in Appendix B.

Security Management

•  Individuals with significant information security oversight and management responsibilities who are
   subject to role-based training were not fully identified by management, and compliance with
   specialized training requirements was not consistently tracked.

•  Security authorization activities and supporting documentation and artifacts for the Integrated
   Financial Management Information System (IFMIS), Non-Disaster Grants (NDGrants), and
   Emergency Support (ES) – including Authorization to Operate (ATO) memoranda, risk assessments,
   privacy threshold analyses, security plans, IT contingency plans (CPs) and associated plan test results,
   security control assessments, Security Assessment Reports, and corresponding Plans of Action and
   Milestones – were not completed in accordance with DHS and NIST requirements.

After-Hours Physical Security Testing

On July 2 and July 11, 2013, we performed after-hours physical security testing to identify risks related to
non-technical aspects of IT security.
These non-technical IT security aspects included physical access to
printed or electronic media, equipment, or credentials residing within a FEMA employee’s or contractor’s
work area or shared workspaces that could be used by others to gain unauthorized access to systems
housing financial or other sensitive information. The testing was performed at various FEMA locations in
the Washington, DC, metropolitan area that process, maintain, and/or have access to financial data.

We observed 78 instances where passwords, sensitive IT information (such as server names or IP
addresses), unsecured or unlocked laptops and external media, and printed materials marked “For Official
Use Only” or containing sensitive Personally Identifiable Information were accessible to individuals
without a “need to know.”

Access Controls

•  Audit logs for components of the IFMIS environment (including the application, operating system,
   and the IFMIS and Payment and Reporting System (PARS) databases) were not consistently reviewed
   by management in accordance with DHS policy (in particular, no review records were generated on
   dates without relevant security activity, so there was no evidence that the logs for those dates had
   been reviewed), and IFMIS audit logging policies and procedures were outdated.

•  Controls to generate, and to perform and document independent reviews of, required audit records of
   events on NDGrants, Emergency Management Mission Integrated Environment (EMMIE), and ES
   were not implemented.

•  Strong password requirements
were not enforced on the NDGrants, EMMIE, and ES databases, and
   documentation supporting exceptions to DHS password requirements was incomplete.

•  Procedures for managing access to the NDGrants, EMMIE, and ES applications did not adequately
   identify elevated privileges within the systems or the controls for reviewing and authorizing access to
   such privileges.

•  Account management activities on FEMA financial applications (IFMIS, NDGrants, EMMIE, and
   ES) and supporting databases, including authorization of new and modified access, were not
   consistently documented or implemented in a timely manner in accordance with DHS and FEMA
   policy.

Configuration Management

•  Password, security patch management, and configuration deficiencies were identified during the
   vulnerability assessment on hosts supporting IFMIS, NDGrants, EMMIE, the National Flood
   Insurance Program (NFIP) Local Area Network (LAN), and financially significant segments of the
   FEMA Enterprise Network (FEN) and end-user computing environment.

•  Controls to validate the completeness and integrity of changes to the IFMIS, NDGrants, EMMIE, and
   ES production environments were not implemented.

•  Configuration management policies, procedures, and processes for documenting and implementing
   configuration changes to FEN network devices were not finalized and approved for a majority of the
   year, and were not fully implemented.

•  Documentation supporting the approval and testing of configuration changes to the IFMIS
   environment was not consistently maintained.

Segregation of Duties

•  FEMA personnel with financial reporting, management, and oversight roles were granted IFMIS
   application access that was excessive and/or inconsistent with the principles of least privilege and
   segregation of duties, and existing system documentation did not adequately define the
   implementation of certain access groups and associated privileges granted to these personnel.

Contingency Planning

•  Alternate processing sites for NDGrants, EMMIE, and ES were not established; consequently, testing
   of those systems’ CPs, including restoration to an established alternate processing site, was not
   performed.


Recommendations

We recommend that the FEMA Office of the Chief Information Officer (OCIO) and Office of the Chief
Financial Officer (OCFO), in coordination with the DHS OCIO and the DHS OCFO, make the following
improvements to FEMA’s financial management systems and associated IT security program.

Security Management

•  Develop and implement monitoring controls over background investigation processes to ensure that
   investigations for all types of Federal employees and contractors are consistently performed and
   centrally tracked in accordance with DHS policy.

•  Enhance existing policies and procedures related to initial and periodic specialized training for
   individuals with significant information security responsibilities, and implement additional monitoring
   controls to ensure that all individuals possessing specific roles and positions associated with
   significant information security responsibilities are identified and that compliance with training
   requirements is tracked.

•  Document or update all required security authorization artifacts for IFMIS, NDGrants, and ES in
   accordance with DHS policy and NIST guidance, and revise and implement appropriate monitoring
   controls to
ensure continued compliance with applicable criteria related to security authorization
   activities and supporting documentation.

•  Continue existing efforts to formally document and implement controls and relevant policies and
   procedures, including conducting periodic checks of FEMA workspaces and enforcing employee
   sanctions as appropriate, to ensure that sensitive DHS and FEMA data are secured properly in
   accordance with DHS requirements.

Access Controls

•  Develop and implement monitoring controls over the audit log review process for the IFMIS
   application, operating system, and the IFMIS and PARS database logs to ensure that audit logs are
   reviewed by management on a periodic basis, that each review is documented, and that audit log
   review evidence is maintained in accordance with FEMA and DHS requirements.

•  Configure audit logs for the NDGrants, EMMIE, and ES databases and applications to ensure that
   auditable events are recorded at a level of detail sufficient to attribute activity to individual users,
   retained, and appropriately reviewed by independent security management personnel.

•  Implement technical controls to ensure that passwords for NDGrants, EMMIE, and ES database
   accounts are configured in accordance with FEMA and DHS requirements.
If necessary and justified
   by operational and business requirements, ensure that requests for exceptions from DHS password
   requirements clearly document all affected user and service accounts subject to deviations from
   standard controls.

•  Review and revise existing system documentation and procedures to identify elevated privileges
   within the NDGrants, EMMIE, and ES applications and the controls for reviewing and authorizing
   access to such privileges.

•  Develop and implement monitoring controls over the account management process to ensure that all
   users are granted access to FEMA system(s) in accordance with FEMA and DHS requirements.

Configuration Management

•  Implement the specific vendor-recommended corrective actions detailed in the NFRs that were issued
   for deficiencies identified during our vulnerability assessments.

•  Implement formal technical and management controls to systematically track and review
   modifications to the IFMIS, NDGrants, EMMIE, and ES production environments to ensure the
   completeness and integrity of change reports and logs.

•  Fully implement configuration management policies and procedures to ensure that configuration
   changes to FEN network devices are consistently documented and authorized by FEMA management
   in accordance with DHS policy and the FEN configuration management plan.

•  Develop and implement monitoring controls over the IFMIS configuration management process to
   ensure that changes deployed to the IFMIS production environment are properly approved and
tested,
   and that sufficient evidence is retained.

Segregation of Duties

•  Document and implement controls to manage the assignment of groups and corresponding roles and
   functionality within the IFMIS application by identifying conflicting roles, revising system
   documentation as appropriate, and analyzing and modifying existing assignments to address
   violations of segregation of duties and least privilege principles.

Contingency Planning

•  Dedicate resources to complete actions associated with the migration of FEMA systems to the DHS
   Enterprise Data Center; formally establish and implement controls around alternate processing
   capabilities for NDGrants, EMMIE, and ES; and conduct and document the results of tests of those
   systems’ CPs, including simulated recovery from contingency events at the designated alternate
   processing site(s).


                                  IT APPLICATION CONTROLS

We concluded that application controls over IFMIS, NDGrants, EMMIE, ES, and PARS could not be
relied upon for purposes of our FY 2013 audit procedures because of the nature of the GITC deficiencies
identified and discussed above.
As a result, we did not test application controls for these financial\nsystems.\n\nHowever, during the FEMA component of the FY 2013 DHS financial statement audit we did conduct\ntesting over certain application controls on key financial systems supporting NFIP and did not identify\nany control deficiencies.\n\n                             Appendix A\n\nDescription of Key FEMA Financial Systems and IT Infrastructure\nwithin the Scope of the FY 2013 DHS Financial Statement Audit\n\nBelow is a description of significant FEMA financial management systems and supporting IT\ninfrastructure included in the scope of the FEMA component of the DHS FY 2013 financial statement\naudit.\n\nIntegrated Financial Management Information System (IFMIS)\n\nIFMIS is the official accounting system of FEMA and maintains all financial data for internal and\nexternal reporting. IFMIS consists of five subsystems: Funding, Cost Posting, Disbursements,\nAccounts Receivable, and General Ledger. The application is a Commercial Off-The-Shelf software\npackage developed and maintained by Digital Systems Group Incorporated. 
IFMIS interfaces with PARS,\nES, ProTrac, Smartlink (Department of Health and Human Services [HHS]), Treasury Information\nExecutive Repository (Department of the Treasury), Secure Payment System (Department of the\nTreasury), Grants Management System (Department of Justice), United States Coast Guard Credit Card\nSystem, Credit Card Transaction Management System (CCTMS), Assistance to Firefighters Grants,\neGrants, and Enterprise Data Warehouse and Payroll (Department of Agriculture \xe2\x80\x93 National Finance\nCenter). The IFMIS production environment is located in Virginia (VA).\n\nPayment and Reporting System (PARS)\n\nPARS is a standalone web-based application. The PARS database resides on the IFMIS UNIX server and\nis incorporated within the certification and accreditation boundary for that system. Through its web\ninterface, PARS collects Standard Form 425 information from grantees and stores the information in its\nOracle 9i database. Automated scheduled jobs are run daily to update and interface grant and obligation\ninformation between PARS and IFMIS. PARS is located in VA.\n\nNon-Disaster Grant Management System (NDGrants)\n\nNDGrants is a web-based system that supports the grants management lifecycle and is used by external\nstakeholders and grantees, via a public Web site, to apply for grants and monitor the progress of grant\napplications and payments and view related reports, and by the FEMA Grants Program Directorate,\nProgram Support Division, via an internal Web site, for reviewing, approving, and processing grant\nawards. NDGrants interfaces with two other systems: FEMA\xe2\x80\x99s internal Integrated Security and Access\nControl System (ISAAC), a component of the Network Access Control System used for user\ncredentialing and role-based access; and the HHS Grants.gov system, used for publishing grant\nsolicitations and downloading applications. 
NDGrants is located in VA.\n\nEmergency Management Mission Integrated Environment (EMMIE)\n\nEMMIE is an internal Web-based grants management solution used by FEMA program offices and user\ncommunities directly involved in the grant lifecycle associated with the Public Assistance Grant Program\nand the Fire Management Assistance Grant Program. It is also designed to interface with other\ngovernment entities and grant and sub-grant applicants (e.g., states and localities). EMMIE provides\nfunctionality for public entities and private non-profit entities to create and submit grant applications and\nfor FEMA users to review and award applications, generate and review relevant mission critical reports,\nprocess amendments, and conduct close-out activities. Interfaces exist between the EMMIE system,\nIFMIS, and ISAAC. EMMIE is located in VA.\n\nEmergency Support (ES)\n\nES is an internal FEMA application for pre-processing disaster-related financial transactions, including\nallocation, commitment, obligation, mission assignment, and payment requests from other internal and\nexternal systems. ES serves as the primary interface to IFMIS. It also allows FEMA users to process\ndisaster housing payments, perform payment recoupment, and conduct other administrative tasks. 
In\naddition to IFMIS, ES has interfaces to several other FEMA systems, including:\n\n    \xe2\x80\xa2 ISAAC (organizational and personnel data and team setup);\n    \xe2\x80\xa2 Emergency Coordination (incident and disaster declarations);\n    \xe2\x80\xa2 Enterprise Coordination and Approvals Processing System (commitment and mission assignment\n       [obligation] requests);\n    \xe2\x80\xa2 Hazard Mitigation Grants Program (allocation and obligation requests);\n    \xe2\x80\xa2 Individual Assistance (payment and recoupment requests);\n    \xe2\x80\xa2 Public Assistance (obligation and allocation requests);\n    \xe2\x80\xa2 Automated Deployment Database (personnel data);\n    \xe2\x80\xa2 Assistance to Firefighters Grants (obligation, invoice, and vendor requests);\n    \xe2\x80\xa2 EMMIE (obligation requests);\n    \xe2\x80\xa2 Mitigation Electronic Grants Management System (obligation requests); and\n    \xe2\x80\xa2 CCTMS (expenditure requests).\n\nES is located in VA.\n\nTraverse\n\nTraverse is the general ledger application currently used by the NFIP Bureau and Statistical Agent to\ngenerate the NFIP financial statements. Traverse is a client-server application that runs on the NFIP LAN\nWindows server environment located in Maryland. The Traverse client is installed on the desktop\ncomputers of the NFIP Bureau of Financial Statistical Control group members and interfaces with a\nMicrosoft Structured Query Language database hosted on an internal segment of the NFIP LAN. Traverse\nhas no known external system interfaces.\n\nTransaction Recording and Reporting Processing (TRRP)\n\nThe TRRP application acts as a central repository of all data submitted by the Write Your Own (WYO)\ncompanies and the Direct Servicing Agent (DSA) for the NFIP. 
TRRP also supports the WYO program,\nprimarily by ensuring the quality of financial data submitted by the WYO companies and DSA to TRRP.\nTRRP is a mainframe-based application that runs on the NFIP mainframe logical partition in Connecticut.\nTRRP has no known system interfaces.\n\n                           Appendix B\n\nFY 2013 IT Notices of Findings and Recommendations at FEMA\n\nFY 2013 NFR #   NFR Title                                                       FISCAM Control Area       New   Repeat  More\n                                                                                                          Issue Issue   Significant (1)\nFEMA-IT-13-01   Non-Compliance with Alternate Processing Site Requirements for  Contingency Planning            X       X\n                Key Financial Systems\nFEMA-IT-13-02   Insufficient Audit Log Controls for Key Financial Systems       Access Controls                 X       X\nFEMA-IT-13-03   Inconsistent Implementation of DHS Background Investigation     Security Management             X\n                Requirements for FEMA Federal Employees and Contractors\nFEMA-IT-13-04   Incomplete Implementation of Role-Based Training for            Security Management             X\n                Individuals with Significant Information Security\n                Responsibilities\nFEMA-IT-13-05   Non-Compliant Security Authorization Package for NDGrants       Security Management             X\nFEMA-IT-13-06   Non-Compliance with DHS and FEMA Password Requirements for      Access Controls                 X\n                Oracle Databases Supporting Certain Financial Applications\nFEMA-IT-13-07   Incomplete Exception Request for Password Controls on Oracle    Security Management (2)   X\n                Databases Supporting Certain Financial Applications\nFEMA-IT-13-08   Security Awareness Issues Identified during After-Hours         Security Management             X\n                Physical Security Testing at FEMA\nFEMA-IT-13-09   Weaknesses Identified during the Vulnerability Assessment on    Access Controls;                X       X\n                IFMIS                                                           Configuration Management\nFEMA-IT-13-10   Weaknesses Identified during the Vulnerability Assessment on    Access Controls;                X       X\n                the NFIP LAN                                                    Configuration Management\nFEMA-IT-13-11   Weaknesses Identified during the Vulnerability Assessment on    Configuration Management        X       X\n                Financially Significant Segments of the FEMA Enterprise Network\n                and End-User Computing Environment\nFEMA-IT-13-12   Weaknesses Identified during the Vulnerability Assessment on    Configuration Management        X\n                EMMIE\nFEMA-IT-13-13   Weaknesses Identified during the Vulnerability Assessment on    Access Controls;                X       X\n                NDGrants                                                        Configuration Management\nFEMA-IT-13-14   Non-Compliant Security Authorization Package for ES             Security Management             X\nFEMA-IT-13-15   Lack of Controls to Validate Completeness and Integrity of      Configuration Management        X       X\n                Changes Deployed to Production for EMMIE, NDGrants, and ES\nFEMA-IT-13-16   Incomplete Account Management Documentation for the EMMIE       Access Controls           X             X\n                Application\nFEMA-IT-13-17   Incomplete Account Management Documentation for NDGrants        Access Controls                 X       X\nFEMA-IT-13-18   Incomplete Account Management Documentation for ES              Access Controls                 X       X\nFEMA-IT-13-19   Excessive or Inappropriate Access to IFMIS                      Access Controls;          X             X\n                                                                                Segregation of Duties\nFEMA-IT-13-20   Lack of EMMIE System Owner Approval for Database Accounts       Access Controls                 X       X\nFEMA-IT-13-21   Lack of ES System Owner Approval for Database Accounts          Access Controls                 X\nFEMA-IT-13-22   Lack of NDGrants System Owner Approval for Database Accounts    Access Controls                 X       X\nFEMA-IT-13-23   Inconsistent Authorization of New and Modified IFMIS            Access Controls                 X       X\n                Application User Access\nFEMA-IT-13-24   Lack of Adequate Configuration Management over Network Devices  Configuration Management        X\n                Supporting Financial Systems\nFEMA-IT-13-25   Inconsistent Activities and Incomplete Documentation Supporting Configuration Management        X       X\n                Configuration Changes for the IFMIS Application\nFEMA-IT-13-26   Inconsistent Review of IFMIS Audit Logs                         Access Controls                 X       X\nFEMA-IT-13-27   Lack of Controls to Validate Completeness and Integrity of      Configuration Management        X       X\n                Changes Deployed to Production for the IFMIS Production\n                Environment\nFEMA-IT-13-28   Non-Compliant Security Authorization Package for IFMIS          Security Management       X\n\n(1) NFRs designated as \xe2\x80\x9cMore Significant\xe2\x80\x9d represent control deficiencies that we determined to pose an increased risk to the integrity of FEMA financial data.\n(2) NFR FEMA-IT-13-07 was reported in conjunction with FEMA-IT-13-06 as part of GITC deficiencies related to access controls in our Independent Auditors\xe2\x80\x99\nReport dated December 11, 2013.\n\n                              OFFICE OF INSPECTOR GENERAL\n                                  Department of Homeland Security\n\n   Appendix A\n   Report Distribution\n   Department of Homeland Security\n\n   Secretary\n   Deputy Secretary\n   Chief of Staff\n   Deputy Chief of Staff\n   General Counsel\n   Executive Secretary\n   Director, GAO/OIG Liaison Office\n   Assistant Secretary for Office of Policy\n   Assistant 
Secretary for Office of Public Affairs\n   Assistant Secretary for Office of Legislative Affairs\n   Under Secretary for Management\n   Chief Financial Officer\n   Chief Information Officer\n   Chief Information Security Officer\n   Chief Privacy Officer\n\n   Office of Management and Budget\n\n   Chief, Homeland Security Branch\n   DHS OIG Budget Examiner\n\n   Congress\n\n   Congressional Oversight and Appropriations Committees, as appropriate\n\nwww.oig.dhs.gov                                                            OIG-14-76\n\nADDITIONAL INFORMATION\n\nTo view this and any of our other reports, please visit our website at: www.oig.dhs.gov.\n\nFor further information or questions, please contact Office of Inspector General (OIG)\nOffice of Public Affairs at: DHS-OIG.OfficePublicAffairs@oig.dhs.gov, or follow us on\nTwitter at: @dhsoig.\n\nOIG HOTLINE\n\nTo expedite the reporting of alleged fraud, waste, abuse or mismanagement, or any\nother kinds of criminal or noncriminal misconduct relative to Department of Homeland\nSecurity (DHS) programs and operations, please visit our website at www.oig.dhs.gov\nand click on the red tab titled "Hotline" to report. You will be directed to complete and\nsubmit an automated DHS OIG Investigative Referral Submission Form. Submission\nthrough our website ensures that your complaint will be promptly received and\nreviewed by DHS OIG.\n\nShould you be unable to access our website, you may submit your complaint in writing\nto:\n\n       Department of Homeland Security\n       Office of Inspector General, Mail Stop 0305\n       Attention: Office of Investigations Hotline\n       245 Murray Drive, SW\n       Washington, DC 20528-0305\n\nYou may also call 1(800) 323-8603 or fax the complaint directly to us at\n(202) 254-4297.\n\nThe OIG seeks to protect the identity of each writer and caller.\n'
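The Segregation of Duties recommendation for IFMIS earlier in this letter asks management to identify conflicting roles and to analyze existing group and role assignments against segregation-of-duties and least-privilege principles (see also NFR FEMA-IT-13-19). The script below is an added example of that analysis; it is not KPMG or FEMA code and does not reflect IFMIS. The role names, function names, conflict pairs, user assignments and activity data are constructed for illustration, since the letter publishes none of them. It flags every user whose combined roles grant both halves of a conflicting function pair, identifies roles the user never exercised during the review window, and proposes a remediation that removes a dormant role where that clears the conflict and otherwise refers the conflict for management review.

```python
"""Segregation-of-duties (SoD) and least-privilege review of application
role assignments.

Added example for this letter's IFMIS recommendation; it is not KPMG or
FEMA code. Role names, function names, conflict pairs, users and activity
data below are constructed for illustration.
"""

# ASSUMPTION: illustrative role -> function mapping. IFMIS role names are
# not published in the letter.
ROLE_FUNCTIONS = {
    "AP_ENTRY":     {"create_obligation", "enter_invoice"},
    "AP_APPROVE":   {"approve_payment"},
    "DISBURSE":     {"release_payment"},
    "VENDOR_MAINT": {"create_vendor", "modify_vendor"},
    "GL_POST":      {"post_journal"},
    "GL_REVIEW":    {"review_journal"},
    "SYSADMIN":     {"manage_users", "assign_roles"},
    "READ_ONLY":    {"view_reports"},
}

# Conflict matrix (constructed): no single user may hold both functions of a pair.
CONFLICTS = {
    frozenset({"enter_invoice", "approve_payment"}),
    frozenset({"approve_payment", "release_payment"}),
    frozenset({"create_vendor", "release_payment"}),
    frozenset({"post_journal", "review_journal"}),
    frozenset({"assign_roles", "approve_payment"}),
}

# Constructed sample data: current role assignments, and the functions each
# user actually exercised during the review window (as taken from audit logs).
ASSIGNMENTS = {
    "alice": ["AP_ENTRY", "AP_APPROVE"],
    "bob":   ["AP_APPROVE", "DISBURSE", "READ_ONLY"],
    "carol": ["GL_POST", "READ_ONLY"],
    "dave":  ["SYSADMIN", "AP_APPROVE"],
}
ACTIVITY = {
    "alice": {"enter_invoice", "create_obligation"},
    "bob":   {"approve_payment", "view_reports"},
    "carol": {"post_journal"},
    "dave":  {"manage_users", "assign_roles", "approve_payment"},
}


def functions_for(roles):
    """Union of the functions granted by a list of roles (unknown roles grant nothing)."""
    funcs = set()
    for role in roles:
        funcs |= ROLE_FUNCTIONS.get(role, set())
    return funcs


def sod_violations(assignments):
    """Map user -> sorted list of (func_a, func_b) conflict pairs the user holds."""
    violations = {}
    for user, roles in assignments.items():
        funcs = functions_for(roles)
        hits = sorted(tuple(sorted(pair)) for pair in CONFLICTS if pair <= funcs)
        if hits:
            violations[user] = hits
    return violations


def unused_roles(assignments, activity):
    """Least-privilege check: roles none of whose functions the user exercised."""
    idle = {}
    for user, roles in assignments.items():
        used = activity.get(user, set())
        dormant = sorted(r for r in roles if not (ROLE_FUNCTIONS.get(r, set()) & used))
        if dormant:
            idle[user] = dormant
    return idle


def roles_granting(roles, func):
    """Roles in the user's assignment that grant a given function."""
    return [r for r in roles if func in ROLE_FUNCTIONS.get(r, set())]


def propose_remediation(assignments, activity):
    """For each SoD violation, prefer removing a role the user never used;
    otherwise refer the conflicting roles for management review, since a
    split of duties or a compensating control is needed."""
    plan = {}
    idle = unused_roles(assignments, activity)
    for user, pairs in sod_violations(assignments).items():
        actions = []
        for func_a, func_b in pairs:
            involved = (roles_granting(assignments[user], func_a)
                        + roles_granting(assignments[user], func_b))
            removable = [r for r in involved if r in idle.get(user, [])]
            label = f"{func_a}/{func_b}"
            if removable:
                actions.append(("remove_role", removable[0], label))
            else:
                actions.append(("review", ", ".join(sorted(set(involved))), label))
        plan[user] = actions
    return plan


if __name__ == "__main__":
    for user, actions in propose_remediation(ASSIGNMENTS, ACTIVITY).items():
        for action, target, conflict in actions:
            print(f"{user}: {action} {target} (conflict {conflict})")
    for user, roles in unused_roles(ASSIGNMENTS, ACTIVITY).items():
        print(f"{user}: dormant roles {roles}")
```

The conflict matrix is expressed in terms of functions rather than role names so that it survives role renames and catches conflicts that only arise from a combination of roles. Removing a dormant role is preferred because it resolves the SoD finding and the least-privilege finding at once; where both conflicting roles are in active use (dave above) the script does not guess which to remove and instead leaves the decision to the system owner, which is the authorization step the letter's recommendations call for.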